Start::
SystemRestore: On
CreateRestorePoint:
CloseProcesses:
StartPowerShell:
# This snippet uses Sysinternals Sigcheck to upload file on VirusTotal.
# Change the line containing the string "INSERTFILEPATHHERE" to the desired filepath
# ---
# It displays the following: entropy, file hashes, catalog name & signing chain, VirusTotal scan results and link to it.
# It is also able to traverse symbolic links and directory junctions.
# ---
# NOTE: If the file is not known prior, it gets uploaded to VirusTotal and the result will be available in a few minutes.
# You can search up the report by visiting the URL "https://www.virustotal.com/gui/file/"
$TempDir = [System.IO.Path]::GetTempPath()
$ZipPath = Join-Path $TempDir "SigcheckFRST.zip"
$ExtractPath = Join-Path $TempDir "SigcheckFRST"
Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Sigcheck.zip" -OutFile $ZipPath -UseBasicParsing
if (Test-Path $ExtractPath) { Remove-Item $ExtractPath -Recurse -Force }
Expand-Archive -Path $ZipPath -DestinationPath $ExtractPath -Force
$SigcheckExe = Join-Path $ExtractPath "sigcheck.exe"
if (Test-Path $SigcheckExe) {
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName = $SigcheckExe
    $psi.Arguments = '-accepteula -a -h -i -m -l -vt -vs -nobanner "C:\Users\user\AppData\Local\NVIDIA Corporation\GfnRuntimeSdk\84eb1d68d4495a50d0ce0d2b7735c5c5\gamelan.py"'
    $psi.RedirectStandardOutput = $true
    $psi.StandardOutputEncoding = [System.Text.Encoding]::Unicode
    $psi.UseShellExecute = $false
    $psi.CreateNoWindow = $true
    $p = [System.Diagnostics.Process]::Start($psi)
    $output = $p.StandardOutput.ReadToEnd()
    $p.WaitForExit()
    Write-Output $output
} else {
    Write-Host "Error: Sigcheck does not exist"
}
Remove-Item $ZipPath -Force
EndPowerShell:
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{03B29243-35DA-4858-920E-B70A007DF5AA}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.217.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{1108FD1C-492F-4251-B9DB-77F0274267B2}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.187.37\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{1C67DF85-7959-43C0-92F8-2CAD0314C31C}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.201.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{22D49062-B8D3-4DD5-B9C2-A044EA04D5CD}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.223.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{262BE1F8-0897-4692-9D50-E3F63DAA43E2}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.195.27\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{2ABD6384-2E18-40E8-8439-F06D21E0B03D}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.195.43\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{2B49DB21-41C5-44C0-8358-CA4C76205AE1}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.209.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{2FDB3305-19B8-4FE2-972B-ED5E97CBBD6E}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.195.39\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{41B09861-5409-4D44-8CA4-D49FBFAA2E6F}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.195.49\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{448DD314-7FBB-429C-9DAA-C05A00D235A8}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.215.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{4FFB4BD8-A109-4F25-A4DB-313678B19417}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.195.31\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{5247F326-2FF0-4920-998E-12AA35F0883C}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.213.7\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{5E9DEE2B-5F44-4C87-84B8-D2E7B11D7017}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.229.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{5FC44EBC-3A1F-4FBB-85E5-34405788C8D7}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.187.41\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{674CB023-C9D4-4286-B1FF-A1FF76AD4B27}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.227.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{6A49690B-7DB6-424B-81CE-F51078F2A58D}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.203.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{6DD6748E-7DAE-47EF-B4D5-03AA1B06D697}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.187.39\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{72726D01-426C-4B35-8266-B4496CAA889E}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.183.29\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{78C1ADF4-6DAE-4164-AEFA-4E3EAD9E750A}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.195.19\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{79F05C14-E714-4C12-9924-93C812894CB0}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.195.57\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{7EFB4924-4B93-4C43-9832-9C3D05E85214}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.195.59\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{83F21C4B-8643-4A08-A29A-822AFD835037}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.193.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{8DC94452-5748-435A-B24F-B0F57718821E}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.225.7\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{9C391760-8CB8-4F1E-AB7D-0C9915EFB004}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.211.7\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{A087E49F-1F8E-4603-A200-55537B737421}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.195.25\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{A78355B5-2A4D-486B-B97A-43448FC8C34D}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.207.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{AE1542A7-3989-481B-93A9-1500C5F56B14}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.185.27\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{B258532D-3529-4BEB-BF38-F08F98B3968C}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.195.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{BB04C6F8-598E-4733-ABB4-07489C863436}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.205.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{BC4C72EF-3055-4A6D-86E1-AE4D24DB63CA}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.195.35\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{BCF99248-58CE-4562-B227-14D1E171B49D}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.221.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{C88B3957-621C-415B-8EE5-B688FC7EF924}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.195.61\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{CAE1760A-CB07-481B-8F9A-BC65510AF5D5}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.185.21\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{D2188EEC-2B0F-488C-8ECA-5285E8ECD87D}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.195.69\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{D8599F80-3D26-46D2-8CF1-0AD21B0ECF31}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.195.65\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{DAA7499A-B3AC-4419-A89B-124318504051}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.185.29\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{E3D57E77-FE71-4D06-BD34-D48820074909}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.181.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{E76F97B1-1AE9-497C-9FA4-F57BBABAD54A}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.185.17\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{ECCE2756-C45D-4E13-BC2D-EC9F138997E6}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.199.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{F1658933-2997-4DDB-869C-061D53A9718E}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.195.21\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1136957161-3500283756-3708303117-1001_Classes\CLSID\{F46A78BD-06FC-442C-88DF-0500F08F2379}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\1.3.195.45\psuser_64.dll => No File
AlternateDataStreams: C:\ProgramData\DP45977C.lfl:677104FCAA [2594]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini:B1DA6C571C [2594]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Uninstall.lnk:DA1661C37D [2594]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Epic Games Launcher.lnk:BE32D07BC5 [2594]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel.lnk:B96E9B8455 [2594]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Keil uVision4.LNK:08CFEED1E2 [2594]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Notepad++.lnk:159ADC9AA1 [2594]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneNote.lnk:60EC9648C0 [2594]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerPoint.lnk:1DC1525F34 [2594]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sticky Notes (new).lnk:3DF0A9C0EF [2594]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sticky Notes (new).lnk:954E53D7F9 [2594]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Word.lnk:7AD7FA8AB1 [2594]
AlternateDataStreams: C:\Users\user\Desktop\FRST64.exe:MBAM.Zone.Identifier [225]
FirewallRules: [{55EFF69F-DCD3-4F42-B100-6816AFF8DBDE}] => (Allow) E:\Program Files (x86)\Steam\steam.exe => No File
FirewallRules: [{D572D4D8-20CD-48C0-B27C-2B067F4817F8}] => (Allow) E:\Program Files (x86)\Steam\steam.exe => No File
FirewallRules: [{462DA9F3-4D60-4854-9A37-761ABACBE4E7}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{054E7E19-AA2A-4F38-BAE6-1780FF474C65}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [TCP Query User{9C359DDB-FD96-410A-8726-A8109159F0BA}C:\program files (x86)\steam\steamapps\common\divinity original sin 2\defed\bin\eocapp.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\divinity original sin 2\defed\bin\eocapp.exe => No File
FirewallRules: [UDP Query User{43F7AD25-797B-4B47-8ED1-3A985D21AE71}C:\program files (x86)\steam\steamapps\common\divinity original sin 2\defed\bin\eocapp.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\divinity original sin 2\defed\bin\eocapp.exe => No File
FirewallRules: [TCP Query User{55953DDE-7CEA-4786-B73E-8822C41D17DD}C:\users\user\desktop\xdd\summer clover\summerclover.exe] => (Allow) C:\users\user\desktop\xdd\summer clover\summerclover.exe => No File
FirewallRules: [UDP Query User{2DEE0F34-D432-439B-A43E-02A4A50DE93E}C:\users\user\desktop\xdd\summer clover\summerclover.exe] => (Allow) C:\users\user\desktop\xdd\summer clover\summerclover.exe => No File
FirewallRules: [{D62E4E39-E81E-461A-ACE1-7CE56632F710}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\ELDEN RING\Game\start_protected_game.exe => No File
FirewallRules: [{F01BBE57-E808-4B2D-83EB-99AB7B6AD8C7}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\ELDEN RING\Game\start_protected_game.exe => No File
FirewallRules: [TCP Query User{EE7902E7-8197-4920-B613-EDC296E72E82}C:\program files (x86)\steam\steamapps\common\baldurs gate 3\bin\bg3_dx11.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\baldurs gate 3\bin\bg3_dx11.exe => No File
FirewallRules: [UDP Query User{51A045DA-A072-45DE-A4FB-F2BDEE0A7DBD}C:\program files (x86)\steam\steamapps\common\baldurs gate 3\bin\bg3_dx11.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\baldurs gate 3\bin\bg3_dx11.exe => No File
FirewallRules: [TCP Query User{1FCC25F5-6667-42CE-834E-3B6896C713C7}C:\users\user\desktop\xdd\peeping.dorm.manager.build.14407700\peeping dorm manager.exe] => (Block) C:\users\user\desktop\xdd\peeping.dorm.manager.build.14407700\peeping dorm manager.exe => No File
FirewallRules: [UDP Query User{3F4C5DF2-4C9F-446B-9CC5-DEEAAE7C2D8C}C:\users\user\desktop\xdd\peeping.dorm.manager.build.14407700\peeping dorm manager.exe] => (Block) C:\users\user\desktop\xdd\peeping.dorm.manager.build.14407700\peeping dorm manager.exe => No File
FirewallRules: [TCP Query User{4182065F-9347-4ABB-BAA1-CB9787308D6F}C:\users\user\appdata\local\discord\app-1.0.9163\discord.exe] => (Block) C:\users\user\appdata\local\discord\app-1.0.9163\discord.exe => No File
FirewallRules: [UDP Query User{79155EFD-1EA0-4D27-AC5E-A9E5DA3F4A94}C:\users\user\appdata\local\discord\app-1.0.9163\discord.exe] => (Block) C:\users\user\appdata\local\discord\app-1.0.9163\discord.exe => No File
FirewallRules: [TCP Query User{4657C370-D25F-4E2A-88CC-1F77D83552DB}C:\riot games\2xko\live\lion\binaries\win64\lion-win64-shipping.exe] => (Allow) C:\riot games\2xko\live\lion\binaries\win64\lion-win64-shipping.exe => No File
FirewallRules: [UDP Query User{8EE976B6-8C77-4464-8417-4BE720F6A121}C:\riot games\2xko\live\lion\binaries\win64\lion-win64-shipping.exe] => (Allow) C:\riot games\2xko\live\lion\binaries\win64\lion-win64-shipping.exe => No File
FirewallRules: [{40C0372E-2A45-46F3-B2F3-BAC652F0F0EF}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\ElementsPanelDaemon.exe => No File
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION
Task: {113A2D73-A037-4A0B-AEFE-DC4F395D0590} - System32\Tasks\Compass Broker Paraguay 68922-117-1001 => C:\Users\user\AppData\Local\NVIDIA Corporation\GfnRuntimeSdk\84eb1d68d4495a50d0ce0d2b7735c5c5\pythonw.exe [104280 2026-05-14] (Python Software Foundation -> Python Software Foundation) -> "C:\Users\user\AppData\Local\NVIDIA Corporation\GfnRuntimeSdk\84eb1d68d4495a50d0ce0d2b7735c5c5\gamelan.py" <==== ATTENTION
C:\Users\user\AppData\Local\NVIDIA Corporation\GfnRuntimeSdk\84eb1d68d4495a50d0ce0d2b7735c5c5
2026-05-14 22:30 - 2026-05-14 22:30 - 000003512 _____ C:\WINDOWS\system32\Tasks\Compass Broker Paraguay 68922-117-1001
2026-05-15 00:23 - 2024-03-03 02:52 - 000000000 ____D C:\Users\user\AppData\Roaming\RenPy
StartPowerShell:
# This snippet downloads Emsisoft Emergency Kit (EEK) from Emsisoft's official site, updates it, and scans with it.
# Do note that the executable is 300MB and may take some time to download.
# ---
# This will scan for malware and PUPs in 1) system memory 2) important folders, as the documentation says
# It will scan in compressed archives, in mail archives, in NTFS alternate data streams and use cloud requests
# ---
# You can use argument "/delete" to delete found objects including references, but this is permanent and irreversible.
# You can remove the "/quick" argument to do a full scan, but that may take longer than what FRST can handle.
# You can use argument "/quarantine="[folder]"" to put found malware into quarantine, but I personally prefer first verifying the detections.
$downloadUrl = "https://dl.emsisoft.com/EmsisoftEmergencyKit.exe"
$systemDrive = $env:SystemDrive
$frstPath = "$systemDrive\FRST"
$savePath = "$frstPath\EEK.exe"
$extractPath = "$frstPath\EEK"
if (-not (Test-Path $frstPath)) { New-Item -Path $frstPath -ItemType Directory -Force | Out-Null }
if (-not (Test-Path $extractPath)) { New-Item -Path $extractPath -ItemType Directory -Force | Out-Null }
Invoke-WebRequest -Uri $downloadUrl -OutFile $savePath -UseBasicParsing
# Silent self-extraction into $extractPath; wait until the scanner binary exists, then stop the extractor
$proc = Start-Process -FilePath $savePath -ArgumentList "-s -d`"$extractPath`"" -PassThru
while (-not (Test-Path "$extractPath\bin64\a2cmd.exe")) { Start-Sleep -Milliseconds 1000 }
Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
if ([Environment]::Is64BitOperatingSystem) {
    $a2cmdPath = Join-Path $extractPath "bin64\a2cmd.exe"
} else {
    $a2cmdPath = Join-Path $extractPath "bin32\a2cmd.exe"
}
Start-Process -FilePath $a2cmdPath -ArgumentList "/update" -Wait -NoNewWindow
Start-Process -FilePath $a2cmdPath -ArgumentList "/malware /quick /m /t /pup /a /am /cloud=1 /la=`"$frstPath\EEK_scan.log`"" -Wait -NoNewWindow
Get-Content "$frstPath\EEK_scan.log"
exit
EndPowerShell:
StartPowerShell:
# Downloads the newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log to the console
# Does not clean preinstalled objects, only PUP/Adware
# If you would like to delete preinstalled objects, add the argument /preinstalled after the /clean argument
# If you would like to only scan with it, change the argument from /clean to /scan
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
CMD: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Warn" /f
CMD: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d 1 /f
CMD: netsh int ip reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushDNS
CMD: netsh winsock reset catalog
C:\Users\CurrentUserName\AppData\Local\Temp\*
C:\Windows\Temp\*
C:\Windows\SystemTemp\*
EmptyTemp:
End::